RESPECTING PRIVACY LAWS AND PATIENT CONFIDENTIALITY
Excellence in Action
Objectives of this Presentation
To explain the HIPAA law and its background, including:
  What information is protected
  Who is required to follow HIPAA laws
  Consequences for violating patient privacy
  Examples of HIPAA violations
  How to remain in compliance with the laws
  Reporting breaches of privacy
To provide scenarios for deeper understanding of the law
Introduction to the HIPAA Privacy Laws
HIPAA
The Health Insurance Portability and Accountability Act
HIPAA protects:
  Security and privacy of all medical records
  Health information used or shared in any form
  Patients' rights: gives patients access to their information and control over its use
What is at stake:
  Privacy of care
  Security of personal health information (PHI) to avoid medical identity theft
  Electronic health records
  Computerized physician orders
HIPAA Protects Personal Health Information (PHI)
PHI is information that relates to:
  Patients' health
  Care provided to patients
  Payment for care provided
  Information that can be used to identify the patient: name, address, birthday, Social Security number, medical record number
PHI is protected in every form: spoken, electronic, written
Any PHI must be kept confidential unless authorized by the patient or someone acting on the patient's behalf, or unless permitted by HIPAA
Covered Entities
Entities required by law to follow HIPAA rules:
  Facilities that provide or bill for medical care and services: hospitals, nursing (long-term or geriatric) facilities, physician offices
  Organizations that pay for care or process care financial and administrative information: insurance/claims/billing companies, health care clearinghouses
  Associates and administrators working for these organizations
Consequences for Violating HIPAA Rules
Termination
Suspension
Criminal penalties:
  $50,000-$1.5 million fines
  Up to 10 years of imprisonment
Civil penalties:
  Fines ranging from $100-$25,000 per violation
  More fines for multiple-year violations
Insurance Companies
Insurance companies need to access PHI to process claims
Sharing this information with a patient's employer would be a violation of HIPAA regulations; employers do not need to know patients' PHI
Laboratory Technicians
Physicians and nurses need full access to patients' health records to provide care
Lab technicians only need to perform the tests the physicians ordered; looking into the patients' PHI would violate HIPAA rules
Examples of HIPAA Violations
Physicians and Nurses
Everyone wants medical privacy
Using their position to access records they do not need to do their job:
  Accessing coworkers' records
  Accessing records of celebrities
  Accessing PHI of family members they are not treating
  Accessing records for personal gain, to gossip, or out of curiosity
Examples of HIPAA Violations
Scenario 1: The Intern
Anna is an intern at the University of Idaho’s Pain Clinic. She does not have access to medical information but sees patients and hears about their medical conditions. Can she discuss these patients with her coworkers, friends, or family?
To follow the HIPAA privacy rules, Anna cannot discuss any patient information with anyone unless it is required for her job.
However, Anna can talk with others about the patients if she omits information that personally identifies the patients.
Scenario 2: The Celebrity
Chris, a nurse in Overlake Hospital’s Emergency Department, just saw Oprah Winfrey enter the hospital with intense abdominal pain. He wants to check on the celebrity so he can tell his friends why she was admitted. Can Chris ask his friend Sandy (in admitting) to look up Oprah’s room number?
Under HIPAA, checking on Oprah would be a breach of privacy. Knowledge of Oprah’s medical condition is not required for Chris to perform his job duties, and he is only interested in her condition for personal gain.
How would Chris feel if everyone gossiped about his abdominal pain?
Respecting Patient Privacy
To remain in compliance with HIPAA laws:
  Healthcare providers should give patients a Notice of Privacy Practices (NOPP)
    Illustrates how the care provider will use the patients' PHI
    Tells patients their privacy rights
    Allows PHI to be used for treatment, payment, and operations
  Covered entities must only access the minimum amount of PHI necessary to perform their job duties
Respecting Patient Privacy
Ways to protect PHI include:
  Being aware of your surroundings when talking about PHI
  Leaving telephone messages that include no PHI
  Asking yourself, "What if people were discussing my PHI like this?"
  Checking work areas to ensure no PHI is left unattended
  Sealing envelopes well before sending
  Disposing of PHI in secured bins for destruction
  On the computer: use (and regularly reset) passwords; do not leave the computer unattended
Examples of Privacy Breaches
Talking too loudly in public areas
Emails or faxes sent to the wrong person, address, or phone number
Failure to log off of computers (allowing others to access database)
Loss, theft, or improper disposal of items containing PHI:
  Paper, mail
  Films, charts
  CDs, flash drives
Unprotected computer systems being hacked into
HIPAA Breaches Nationwide
Report Immediately
Report to your direct supervisor:
  Stolen or missing devices containing PHI
  Suspicious behavior
State laws require that privacy breach incidents be reported to the state's Department of Public Health within a few days
No Retaliation for Reporting
Under HIPAA, covered entities cannot retaliate against employees for reporting privacy breaches
Reporting HIPAA Violations